Corrupted Ukrainian accountancy software ‘MEDoc’ is suspected to be the medium of a cyberattack on companies ranging from British ad agency WPP to Tasmanian Cadbury’s factory, with many European and American firms reporting disruption to services. Banks in Ukraine, Russian oil giant Rosneft, shipping giant Maersk, a Rotterdam port operator, Dutch global parcel service TNT and US law firm DLA Piper were among those suffering inabilities to process orders or else general computer shutdowns.

Heralded as “a recent dangerous trend” by Microsoft, this attack comes just 6 weeks after the WannaCry attack primarily affecting NHS hospitals. Both attacks appear to make use of a Windows vulnerability called ‘Eternal Blue,’ thought to have been discovered by the NSA and leaked online – although the NSA has not confirmed this. The NSA’s possible use of this vulnerability, which has served to create a model for cyber-attacks for political and criminal hackers, has been described by security experts as “a nightmare scenario.”

A BBC report suggests that given 80% of all instances of this malware were in Ukraine, and that the provided email address for the ‘ransom’ closed down quickly, the attack could be politically motivated at Ukraine or those who do business in Ukraine. Recent announcements suggest it could be related to data not money.

The malware appears to have been channelled through the automatic update system, according to security experts including the malware expert credited with ending the WannaCry attack, Marcus Hutchins. The MEDoc software would have originally begun this process legitimately, but at some point the update system released the malware into numerous companies’ computer systems.

In a blog published at the end of last week, the tech firm Google have confirmed that they will stop scanning Gmail users’ emails for the sake of accruing data to be used in personalised adverts, by the end of the year. This will put the consumer version of Gmail in line with the business edition.

Google had advertised their Gmail service by offering 1GB of ‘free’ webmail storage. However, it transpired that Google was paying for this offer by running these scans.

This recent change in tactic has been met with ‘qualified’ welcome by privacy campaigners. Executive director Dr Gus Hosein of Privacy International, the British charity who have been campaigning for regulators to intervene since they discovered the scans, stated:

When they first came up with the dangerous idea of monetising the content of our communications, Privacy International warned Google against setting the precedent of breaking the confidentiality of messages for the sake of additional income. […] Of course they can now take this decision after they have consolidated their position in the marketplace as the aggregator of nearly all the data on internet usage, aside from the other giant, Facebook.

Google faced a fairly substantial backlash on account of these scans when they were discovered, notably from Microsoft, with their series of critical ‘Gmail man’ adverts, depicting a man searching through people’s messages.

However, digital rights watchdog Big Brother Watch celebrated Google’s move, describing it as “absolutely a step in the right direction, let’s hope it encourages others to follow suit.”

UK Conservative Party under investigation for breaching data protection and election law

A Channel 4 News undercover investigation has provoked ‘serious allegations’ of data protection and election offences against the Conservative Party.

The investigation uncovered the party’s use of a market research firm based in Neath, South Wales, to make thousands of cold calls to voters in marginal seats ahead of the election this month. Call centre staff followed a ‘market research’ script, but under scrutiny this script appears to canvass for specific local Conservative candidates – in a severe breach of election law.

Despite the information commissioner Elizabeth Denham’s written warnings to all major parties before the election began, reminding them of data protection law and the illegality of such telecommunications, the Conservatives operated a fake market research company. This constitutes a breach separate to election law, and mandates the Information Commissioner’s Office to investigate.

The ICO’s statement on 23rd June reads,

The investigation has uncovered what appear to be underhand and potentially unlawful practices at the centre, in calls made on behalf of the Conservative Party. These allegations include:

Misleading calls claiming to be from an ‘independent market research company’ which does not apparently exist

MyHome Installations Ltd fined £50,000 for nuisance calls

Facing somewhat less public scrutiny and condemnation than the Conservative Party, Maidstone domestic security firm MyHome Installations has been issued a £50,000 fine by the ICO for making nuisance calls.

The people who received these calls had explicitly opted out of telephone marketing by registering their numbers with the Telephone Preference Service (TPS), the “UK’s official opt-out of telephone marketing.”

The ICO received 169 complaints from members of the public who’d received unwanted calls about electrical surveys and home security from MyHome Installations Ltd.

This month the ICO has published new guidelines for direct marketers, with a particular emphasis on consent. Those companies who make it difficult for their customers to find the “small print” run the risk of finding their so-called consent is invalid. Essentially the ICO is looking to tighten up current consent policies, by, for example, putting tighter time limits on the period covered by consent, ensuring that the customer is not forced into consenting as part of any service policy. Users of personal data are going to need to get used to a greater transparency and trust between themselves and their customers. It is likely that a more creative approach to obtaining consent will be required – such as an explanation of the benefits designed to appeal to the consumer.

Third party use of data is going to become increasingly difficult too, with the onus put on the user for evidence that consent really has been given to the list provider (see Steve’s article on email marketing success).

If you are concerned that you are not entirely certain what is needed to keep your future campaigns compliant, then contact Victoria – victoria@tuffillverner.co.uk

Unsolicited direct marketing calls – the penalties

The Information Commissioner’s Office (ICO) is clamping down on businesses who make unsolicited direct marketing calls. The law currently requires the ICO to prove that calls or texts are causing substantial damage or substantial distress before issuing a penalty to the perpetrator. The ICO is now asking the government to reduce the degree of harm that needs to be proven – the aim is that an investigation would have to simply prove annoyance or nuisance before acting.

The ICO routinely collects data from complaints both to their own office and to TPS, which helps identify organisations who may cause concern.

As a result of that activity, in the first quarter of 2013, the ICO issued their first fine for making unsolicited live marketing calls. DM Design, was fined £90,000. In the last quarter the ICO has issued two further monetary penalty notices for making unsolicited calls – against Nationwide Energy Services (£125,000 penalty) and We Claim you Gain (£100,000 penalty) – not insubstantial amounts.

The main topics of cold marketing calls are still PPI, then Energy / Green energy and Accident claims. These are closely followed by debt management.

Automated calls can be made from outside the UK, in which case the steps to be taken against those companies making the calls are obviously limited.

It is clear that the ICO is determined to make it very plain to all companies and organisations using (or selling) data for marketing purposes, that they must follow the law.

They select a number of companies for monitoring based on the complaints they – and TPS receive. They then review the complaints levels – and it’s amazing what a little fear can do to make even quite large companies adjust their thinking in this area. For example, Talk Talk saw a massive 75% reduction in complaints in the nine months of monitoring; British Gas a 59% reduction in complaints over the same period; while Scottish Power complaints were reduced by 30%.

Encryption: do you understand the options available and how you can use them?

The Data Protection Act requires organisations that are storing personal information electronically to have appropriate measures in place to keep the information secure. If the loss of this information would cause damage and distress to those affected then the Information Commissioner’s Office (ICO) expect the information to be encrypted.

If it isn’t, then an organisation is not keeping the information secure and leaving themselves open to possible enforcement action. Penalties totalling £700,000 have so far been issued to organisations who have failed to properly encrypt their data.

So it’s definitely worth looking at the different types of encryption available and making them work for your organisation. If you are thinking about the need for encryption but don’t fully understand the different options available to you, then do contact Tony at tony@tuffillverner.co.uk

Subject access requests – failure to comply can be costly

Following the publication last month of the Subject Access Code of Practice, the handling of subject access requests is becoming increasingly important. After a complaint from a member of the public, action has been taken against Cardiff City Council systemic failures leading to the inability for the council to respond to individuals’ subject access requests within the 40 day time limit.

So it’s worth noting the importance of tightening up procedures and making sure staff are properly trained to handle such requests in compliance with the DPA.

It is well worth reviewing the measures you have in place to make sure personal information being accessed and used by home workers is being kept secure. It is now becoming increasingly popular for individuals to work from home, and to access data via tablets and smartphones.

Aberdeen City Council has just been served with a penalty of £100,000 after sensitive personal information relating to the care of vulnerable children was inadvertently posted online by one of their home workers. The information was freely available for a three-month period before a council employee spotted it and the information was taken down.

An investigation found that the council had no means of monitoring how personal information was being accessed and used by their home workers and, worse yet, provided no guidance to help people working from home keep personal information secure.

So do make sure you follow the guidelines, especially if your employees are using smartphones and other personal devices to access personal data outside the office. If you’d like some information on the sorts of measures you should be taking, please contact Michelle – michelle@tuffillverner.co.uk

New teaching materials will help young people to take control of their information

Great news that the ICO has published new teaching materials for schools to help teachers explain to young people the importance of looking after their personal information. Especially since a 2011 survey showed that, although 9 out of 10 secondary school pupils were using a social networking website, 60% paid no attention to that website’s privacy policy.

The educational material has been developed by teachers and tailored to specific areas of the curriculum with a focus on helping youngsters understand the value and importance of their personal information and teaching them how they can look after it.

No surprise after Leveson consultation that the Press is deemed to need further guidance on conduct and ethics

Last year’s Leveson Inquiry provided a number of recommendations relating to the conduct and ethics of the press. The most high-profile recommendation for the ICO office was that it should better educate the press about their legal obligations under the DPA.

A consultation was launched in March to find out stakeholder’s views on a potential code of practice to explain the law as it stands. Responses were received from several media companies, individuals, regulators and representative bodies. The responses have raised concerns that any new code of practice would cause confusion with the existing editor’s code!

Tuffill Verner Associates provides data compliance advice – if you have any concerns or are unclear on a particular issue, just drop us an email or give us a call.